The Scripps Health 2021 Ransomeware Attack

Scripps Health (Scripps), a health system based in San Diego, was subject to a cyberattack in which unauthorized parties gained access to its network and deployed ransomware. The health system was forced to take its systems offline for several weeks.

In an op-ed, Scripps’ CEO indicated that the electronic medical record application was not compromised in the attack. However, protected health information – such as names, addresses, birthdates, and health insurance data – was exposed.

As of late June, four class action lawsuits were filed on behalf of impacted patients. The lawsuits essentially claim that the health system failed in its duty to protect patient information and thereby exposed patients to risks such as identity theft and medical fraud.

At least one of the lawsuits alleges that Scripps received repeated warnings and alerts related to protecting and securing sensitive data. It claims that Scripps “knew or should have known that its electronic records would likely be targeted by cybercriminals” and failed to take appropriate steps to safeguard protected health information.

The lawsuit also claims that Scripps could have prevented the breach by “properly securing and encrypting” the data. The parties to the lawsuit ask that Scripps pay $1,000 per violation, up to $3,000 in damages per plaintiff and class member, and other costs.

This incident should serve as another reminder to Compliance, Privacy, and Security Officers of the importance of working together to prevent similar problems in their organizations. Failure to do so can result in significant undesirable costs.

For more information on this topic, please contact Richard Kusserow at [email protected].

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.